Your Company Has Been Hit with Ransomware: What’s the Best Response?

Organizations hit with ransomware must first decide if they are going to pay the ransom. Although law enforcement adheres to a strict party-line policy of not negotiating with the extortionists, nuances do exist.

Companies need to understand the full spectrum of options, how interactions with the criminals may evolve and how to position the business to withstand an attack. Here’s a checklist that details how to respond:

  1. Understand the context. Ransomware has become big business. Analysts estimate that businesses paid more than a billion dollars in ransoms in 2016. And this year, one organization alone estimated that the Petya ransomware attack cost the company nearly $300 million in losses. WannaCry, another major attack that the NSA connected to North Korea last spring, tied up more than 300,000 machines in 150 countries.
  2. Make quick but well-informed decisions. When the extortion demand arrives, the company may have only a matter of hours to decide. Past experience shows that cybercriminals will negotiate with their victims. For instance, when Nayana Communications was extorted for its data, the Nayana CEO negotiated the initial demand of $1.6 million down to the $1 million eventually paid. In other examples, three out of four separate cybercriminal gangs granted discounts and deadline extensions when researchers contacted them posing as victims. If the company does decide to pay, haggling can work.
  3. Consider whether paying the ransom makes sense. Even if the company pays, there is no guarantee it will get its data back. The ransomware business model depends on a degree of trust between the victim and the extortionist. If the ransom is lower than the business cost of recovering without paying the attackers, and the victim remains confident that paying will result in file restoration, it makes sense to pay the ransom.
  4. Get the attackers to decrypt your data. From a high-level view, it is in the attackers’ best interest to decrypt their victims’ files. That’s how they make their money. If trust erodes, then the calculation for the victim will change and payments will cease as the victim deduces that capitulation will not result in data restoration.
  5. Deploy optimal backups. The company should have a robust backup process that continually generates fresh copies of the organization’s data, providing business continuity against both physical and cyber threats. Ideally these backups are only hours old (one day at most) and are tested continuously. While restoring from backups remains the best solution, many incident response teams report being called to help organizations recover from a ransomware attack, only to find backups that are out of date or not functional. Rigorous and regular testing of backups is absolutely vital.
  6. Consider a forensic response. For a forensic response, the company must analyze both the compromised machines and, if available, the ransomware itself. The goal is either to recover the data from the machine, in the hope that the encryption did not execute correctly, or to identify a flaw in the malware’s implementation of the encryption algorithm. A forensic response takes time and a high level of technical expertise; if the company has only hours, or at best days, to decide between paying the ransom and losing critical data forever, a forensic response won’t succeed. Seek out the No More Ransom Project, a group of experts from academia, law enforcement and industry formed to help organizations respond to and mitigate ransomware attacks. The alliance’s website hosts one of the best collections of decryption tools available and should be used as a resource in any forensic response.
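Items 5 and 6 come down to the same question at decision time: which files still have a verified, fresh backup, and which may never have been encrypted correctly in the first place? The Python script below is an added example, not code from the original post or from any DXC tool. It runs on constructed in-memory data (the paths, file contents and backup timestamp are invented), treats the 24-hour freshness limit and the 7.5 bits/byte entropy threshold as assumptions, and uses a chained SHA-256 stream as a constructed stand-in for ciphertext.

```python
import hashlib
import math
from collections import Counter

MAX_BACKUP_AGE_SECONDS = 24 * 3600   # "one day at most", per checklist item 5
ENTROPY_THRESHOLD = 7.5              # bits/byte; assumed cut-off for "looks encrypted"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (maximum 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Ciphertext is near-uniform, so its entropy approaches 8 bits/byte. Compressed
    or media files also score high, so confirm by file type before acting on a hit."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def verify_backup(backup_files, manifest, backup_time, now):
    """Check each manifest entry: 'ok', 'corrupt' (hash mismatch), 'missing' or 'stale'."""
    stale = (now - backup_time) > MAX_BACKUP_AGE_SECONDS
    status = {}
    for path, expected_hash in manifest.items():
        data = backup_files.get(path)
        if data is None:
            status[path] = "missing"
        elif sha256_hex(data) != expected_hash:
            status[path] = "corrupt"
        elif stale:
            status[path] = "stale"
        else:
            status[path] = "ok"
    return status


def triage(live_files, backup_files, manifest, backup_time, now):
    """Pick a recovery path per live file: intact on disk (encryption never ran or failed),
    restorable from a verified backup, restorable only from a stale one, or unrecoverable."""
    backup_status = verify_backup(backup_files, manifest, backup_time, now)
    plan = {}
    for path, data in live_files.items():
        if not looks_encrypted(data):
            plan[path] = "intact-on-disk"
        elif backup_status.get(path) == "ok":
            plan[path] = "restore-from-backup"
        elif backup_status.get(path) == "stale":
            plan[path] = "restore-stale-backup"
        else:
            plan[path] = "no-recovery-path"
    return plan


def constructed_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Constructed stand-in for an encrypted file: a chained SHA-256 stream, deterministic
    for the demo and with entropy close to 8 bits/byte like real ciphertext."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


# Constructed sample data; paths, contents and timestamps are invented for this example.
ORIGINALS = {
    "finance/q3-ledger.csv": b"date,account,amount\n" + b"2017-09-01,4100,1250.00\n" * 100,
    "hr/roster.csv": b"name,department\n" + b"A. Example,Finance\n" * 50,
    "legal/contract.txt": b"Master services agreement. The parties agree as follows. " * 40,
    "ops/runbook.md": b"# Runbook\n" + b"Step: confirm the backup restore completed.\n" * 30,
}
MANIFEST = {path: sha256_hex(data) for path, data in ORIGINALS.items()}  # written at backup time
BACKUP_TIME = 1_700_000_000  # epoch seconds of the last backup run (constructed)
BACKUP_FILES = {
    "finance/q3-ledger.csv": ORIGINALS["finance/q3-ledger.csv"],   # good copy
    "hr/roster.csv": ORIGINALS["hr/roster.csv"][:-7],              # truncated copy -> corrupt
    "legal/contract.txt": ORIGINALS["legal/contract.txt"],
    # ops/runbook.md was never backed up -> missing
}
LIVE_FILES = {  # state of the disk after the attack
    "finance/q3-ledger.csv": constructed_ciphertext(b"ledger"),
    "hr/roster.csv": constructed_ciphertext(b"roster"),
    "legal/contract.txt": ORIGINALS["legal/contract.txt"],          # the malware never reached it
    "ops/runbook.md": constructed_ciphertext(b"runbook"),
}


def run_demo(hours_since_backup: int = 6) -> dict:
    now = BACKUP_TIME + hours_since_backup * 3600
    return triage(LIVE_FILES, BACKUP_FILES, MANIFEST, BACKUP_TIME, now)


if __name__ == "__main__":
    for path, action in sorted(run_demo().items()):
        print(f"{action:22} {path}")
```

With the sample data the ledger restores from a verified backup, the contract turns out never to have been encrypted, and the roster (corrupt backup copy) and runbook (never backed up) have no recovery path; re-running with a backup three days old downgrades the ledger to a stale restore. The entropy score is only a heuristic: an "intact-on-disk" verdict on a text file is trustworthy, but archives, images and already-encrypted documents score as high as ransomware output, so a "looks encrypted" verdict should be checked against the file's expected format before the file is written off. In practice the manifest comes from the backup system and the live files from a forensic image, not from the script itself.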

Beyond backups and forensics, companies can simply accept the data loss and work to implement preventive measures to significantly reduce the probability of a successful attack. Organizations will need a strong mix of awareness training, patching and defense-in-depth to keep extortionists at bay.

This blog first appeared on DXC Technology Blog

Author: Chris Moyer

Chris Moyer is the DXC Technology Chief Technology Officer for the business group and leads the DXC Mobility and Workplace practice. As the CTO, Chris leads a trusted group of technical advisors, providing technology roadmaps, applying innovation and governing solutions that deliver business outcomes for clients. As the leader of the Mobility and Workplace Practice, he is responsible for establishing the services portfolio DXC clients use as the window into their information – whether in an office or on the road. Supporting over 500 different clients and 6 million devices, the Practice provides CIOs with secure delivery of information assets to their organizations and customers. Chris Moyer is currently also working with Microsoft on a joint go-to-market strategy.